1 setuid Demystified -- Examining the API of Security Operation in OS using Formal Models Hao Chen, David Wagner UC Berkeley Drew Dean SRI International.

Presentation transcript:

1 setuid Demystified -- Examining the API of Security Operation in OS using Formal Models Hao Chen, David Wagner UC Berkeley Drew Dean SRI International

2 Objective
Understand the semantics of the security-operation API in an OS precisely
Applications
– Using these system calls properly in programs
– Verifying their documentation
– Detecting inconsistencies in OS kernels
– Building security properties and checking them in programs automatically (e.g. by a model checker)

3 What is setuid
Access control in Unix is based on the user ID model
Each process has 3 user IDs:
– Real uid (ruid)
– Effective uid (euid)
– Saved uid (suid)
Uid-setting system calls
– setuid(), seteuid(), setreuid(), setresuid()

4 The setuid Mystery
Uid-setting system calls are a semantic mess
– Counter-intuitive semantics
– Subtle differences among different calls
– Incompatible semantics of the same call in different Unix systems (e.g. Linux, Solaris, FreeBSD)
– Incomplete, inaccurate, or even wrong documentation
Reason: historical artifacts

5 Solution: Formal Model
Use a formal model to describe the user ID model
Build an FSA where
– The states describe the user IDs of a process
– The transitions describe the semantics of the uid-setting system calls

6 Determine the States of the FSA
Each state is a tuple (ruid, euid, suid)
The range of user ID values determines the number of states
Example:
– A process switches between a privileged user ID and an unprivileged ID
– 2 user IDs: 0 (root), x (non-root)
– 8 states

7 Problem: Difficult to Determine Transitions
Large number of transitions. E.g.
– Range of user ID values: {0, x} where x != 0
– Number of states: 8
– Number of transitions per state:
  setuid(uid): 2 transitions
  seteuid(euid): 2 transitions
  setreuid(ruid, euid): 4 transitions
  setresuid(ruid, euid, suid): 8 transitions
– Total transitions: 8 * (2 + 2 + 4 + 8) = 128
A laborious, error-prone process

8 Determine Transitions Automatically by Simulation
Idea: Exhaustively make all system calls at each state
For each state s = (ruid, euid, suid) where ruid, euid, suid ∈ {0, uid1, uid2, …}
  For each system call c ∈ {setuid(e), seteuid(e), setreuid(r,e), setresuid(r,e,s)} {
    Make the system call c in the state s
    Observe the ensuing state s'
    Add the transition (s, c, s') to the FSA
  }
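An added example of the exhaustive simulation sketched on this slide, written for Linux in Python; it is not the authors' own simulator. The function names (states, syscalls, probe, simulate) and the unprivileged uid X are constructed for this illustration, and the simulator itself assumes it is run as root so that every state can be entered; each experiment runs in a forked child so the parent never changes its own credentials.

```python
import os
import sys
from itertools import product

def states(uids):
    """All (ruid, euid, suid) tuples over the uid set: 8 states for two uids."""
    return list(product(sorted(uids), repeat=3))

def syscalls(uids):
    """Every uid-setting call with every argument choice over the uid set."""
    u = sorted(uids)
    calls = [("setuid", (e,)) for e in u] + [("seteuid", (e,)) for e in u]
    calls += [("setreuid", (r, e)) for r in u for e in u]
    calls += [("setresuid", (r, e, s)) for r in u for e in u for s in u]
    return calls

def transition_count(uids):
    """Experiments needed: states x calls = 8 * (2 + 2 + 4 + 8) = 128 for two uids."""
    return len(states(uids)) * len(syscalls(uids))

def probe(state, call, uids):
    """Enter `state` in a forked child, make `call`, report the ensuing state.
    The child's exit status carries the index of the ensuing state in
    states(uids), plus 128 if the call itself failed (typically EPERM).
    Returns (ensuing_state, call_succeeded); the parent keeps its credentials.
    """
    idx, (name, args) = states(uids), call
    pid = os.fork()
    if pid == 0:
        os.setresuid(*state)            # root can enter any state directly
        failed = 0
        try:
            getattr(os, name)(*args)    # the call under test, e.g. os.setreuid(r, e)
        except OSError:
            failed = 128
        os._exit(idx.index(os.getresuid()) + failed)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status)
    return idx[code % 128], code < 128

def simulate(uids):
    """Full transition relation {(state, call): (ensuing_state, ok)}; needs root."""
    if os.geteuid() != 0:
        sys.exit("run as root: the simulator must be able to enter every state")
    return {(s, c): probe(s, c, uids) for s in states(uids) for c in syscalls(uids)}

if __name__ == "__main__":
    X = 65534                           # constructed unprivileged uid ("nobody" on many systems)
    for (s, (name, args)), (t, ok) in simulate({0, X}).items():
        print(f"{s} --{name}{args}--> {t}  {'ok' if ok else 'failed'}")
```

The state enumeration and call table can be checked without privileges; only simulate() needs root, and its printed triples are exactly the edges of the FSAs on the following slides.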

9 FSA for setuid() in FreeBSD

10 FSA for setuid() in Linux

11 FSA for setreuid() in Linux

12 FSA for setresuid() in Linux

13 Benefits
Correctness: the FSA reflects what programs experience
Efficiency: the automatic method is portable to
– Different Unix systems
– Different kernel versions

14 Application: Understanding the Semantics of the System Calls
Find subtle semantic differences
– Among different uid-setting system calls
– Among the same system call on different Unix systems
Find surprising, counter-intuitive semantics

15 Application: Verifying Man Pages
Incomplete man page
– Man page for setuid() in Linux fails to mention capabilities, which affect how setuid() behaves
Wrong man pages
– FreeBSD 4.4: "Unprivileged users may change the ruid to the euid and vice versa"
– Redhat Linux 7.2: "The setgid function checks if the egid of the caller and if it is the superuser, …"

16 Application: Detecting Inconsistency in OS Kernel
Linux has fsuid
– Used for filesystem permission checking
– Normally follows euid
Invariant in Linux (kernel/sys.c)
– fsuid is 0 only if at least one of ruid, euid, suid is 0
Rationale
– ensuring that an fsuid-unaware cross-platform application can automatically drop root privilege in fsuid by dropping it in ruid, euid, suid

17 Application: Detecting Inconsistency in OS Kernel (cont)
A bug breaks the invariant:
– The invariant is satisfied in setuid(), seteuid(), setreuid()
– But it is broken in setresuid()
We found the bug using the simulator
The bug has been confirmed by Linus and Alan and will be fixed using our patch.

18 Application: Checking Proper Usage of Syscalls in Programs
Model checking security properties in programs
– Model a program as a PDA
– Intersect the PDA (program) with the FSA of uid-setting system calls to get a new PDA
– Check reachability of risky states in the new PDA
Can answer questions like:
– Can a uid-setting system call fail in this program?
– Can this program fail to drop privilege?
– Which parts of this program run with privilege?
Result: Found known bugs in sendmail and

19 Conclusion
Formal models are useful in
– Understanding the APIs of security operations
– Verifying their documentation
– Detecting inconsistencies in OS kernels
– Checking proper usage of security-relevant APIs in programs